site2site tunnel issue

Unanswered Question
Jul 22nd, 2009

Hi all, I have a problem with a VPN between an 857 router and an ASA 5510. From the log I can't understand what the issue is.

Debug:

*Jul 22 10:58:14.895: IPSEC(ipsec_process_proposal): invalid local address 1.1.1.1
*Jul 22 10:58:14.895: ISAKMP:(2003): IPSec policy invalidated proposal with error 8
*Jul 22 10:58:14.895: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

857 conf:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 2.2.2.2
crypto isakmp fragmentation
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel 2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!

ASA conf:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap
crypto map TELEFIN_LAN_map 1 set pfs
crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1
crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA
crypto map TELEFIN_LAN_map 1 set security-association lifetime seconds 28800
crypto map TELEFIN_LAN_map 1 set security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *

Does anyone have an idea of the possible problem?

TIA Enrico.

epasqualotto Wed, 07/22/2009 - 04:57

The IP addresses of the two peers are correct. For the physical interface, what do you mean? Which check?

Thanks Enrico.

hsbcsydney Wed, 07/22/2009 - 05:16

Try setting the crypto map pfs on the ASA to group2 so that it matches the router.

crypto map TELEFIN_LAN_map 1 set pfs group2

epasqualotto Thu, 07/23/2009 - 23:16

On the 857 router:

access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source route-map SDM_RMAP_1 pool net-ibs overload
route-map SDM_RMAP_1 permit 1
 match ip address 101

On the ASA:

access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0

I hope this is all that's necessary...
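
A quick way to rule out the most common cause of "phase 2 SA policy not acceptable", a crypto ACL that is not an exact mirror of the peer's, is to parse both sides and compare the selectors. The following is an added example (Python, not posted in the thread and not Cisco code); it takes the ACLs Enrico posted above as constructed input, converts the router's IOS wildcard masks to the ASA's netmask form, and reports any source/destination pair that has no mirror image on the other peer.

```python
import ipaddress
import re

# Constructed input, copied from the 857 config in this thread (IOS wildcard masks).
IOS_ACL = """
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
"""

# Constructed input, copied from the ASA config in this thread (subnet masks).
ASA_ACL = """
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""

def _selector(tokens, wildcard):
    """Consume one selector ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:  # IOS wildcard mask: invert it to get the subnet mask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    # A non-contiguous wildcard mask raises ValueError here, which is itself a finding.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text, wildcard):
    """Return the set of (src, dst) networks from every 'permit ip' entry."""
    pairs = set()
    for line in text.splitlines():
        m = re.search(r"\bpermit ip (.+)$", line.strip())
        if not m:
            continue
        src, rest = _selector(m.group(1).split(), wildcard)
        dst, _ = _selector(rest, wildcard)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local, remote):
    """Selectors whose src/dst-swapped twin is missing on the other peer (both sets must be empty)."""
    remote_mirrored = {(dst, src) for src, dst in remote}
    return {"only_local": local - remote_mirrored,
            "only_remote": remote_mirrored - local}

if __name__ == "__main__":
    result = mirror_mismatches(parse_acl(IOS_ACL, True), parse_acl(ASA_ACL, False))
    for side, entries in result.items():
        print(side, [f"{s} -> {d}" for s, d in entries] or "none")
```

For the ACLs in this thread both sets come back empty, so the proxy identities are not the mismatch and the remaining suspects are the crypto-map parameters the later replies point at (PFS group, transform set, crypto-map type).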

fmjiang1966 Fri, 07/24/2009 - 07:57

Hi,

You missed the following on the ASA:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp

####

phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

########

The debug message essentially says: phase 2 SA policy not matching, and was not acceptable. After making changes, remove and re-apply the crypto map.

Give it a try.

Fuming

epasqualotto Sun, 08/02/2009 - 23:41

If I add the line:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ERROR: Unable to initialized crypto map entry
